Infoblox-SOC-Get-Insight-Details

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight & ingest Insight details into custom InfobloxInsight tables. The tables are used to build the Infoblox SOC Insights Workbook. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.

Attribute Value
Type Playbook
Solution Infoblox
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
InfobloxInsightAssets_CL 🔶 ? ?
InfobloxInsightComments_CL 🔶 ? ?
InfobloxInsightEvents_CL 🔶 ? ?
InfobloxInsightIndicators_CL 🔶 ? ?
InfobloxInsight_CL 🔶

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azureloganalyticsdatacollector Managed 1 5
azuresentinel Managed 1 2
http Built-in 0 6
Action parameters (URLs, paths, function IDs)

azureloganalyticsdatacollector (Managed)

Action Method Endpoint Other
Send_Summary_(Insight)_Data post /api/logs
Send_Asset_Data post /api/logs
Send_Indicator_Data post /api/logs
Send_Event_Data post /api/logs
Send_Comment_Data post /api/logs

azuresentinel (Managed)

Action Method Endpoint Other
Add_InfobloxInsightID_Tag put /Incidents
Update_Incident_Tags put /Incidents

http (Built-in)

Action Method Endpoint Other
Test_Connection_to_Infoblox_CSP GET https://csp.infoblox.com/api/v1/insights/@{items('For_Each_Object_GUID')?['properties']?['objectGuid']}
Get_Summary_Data GET https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}
Get_Asset_Data GET https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/assets
Get_Indicator_Data GET https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/indicators
Get_Event_Data GET https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/events
Get_Comment_Data GET https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/comments

Additional Documentation

📄 Source: Infoblox SOC Get Insight Details/readme.md

Infoblox SOC Get Insight Details

Summary

This playbook uses the Infoblox SOC Insights API to get all the details about an SOC Insight Incident. These Incidents are triggered by the Infoblox - SOC Insight Detected analytic queries packaged as part of this solution. These queries will read your data for insights and create an Incident when one is found, hereby known as a SOC Insight Incident.

Then, you can run this playbook on those incidents to ingest many details about the Insight, placed in several custom tables prefixed with InfobloxInsight. This data also builds the Infoblox SOC Insight Workbook you can use to richly visualize and drilldown your Insights.

It will also add several tags to the SOC Insight Incident.

This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.

Prerequisites

  1. User must have a valid Infoblox API Key.
  2. User must have a valid Workspace ID.
  3. User must have a valid Workspace Key.
  4. User must have created an analytics rule from a rule template.
  5. Configure the associated automation rule as specified below:
    • Go to Microsoft Sentinel → select your workspace → Automation → Create → Automation rule
    • Set Automation rule name
    • Condition → If:
      1. Incident provider → Select Microsoft Sentinel
      2. Analytic rule name → Select Analytic rule name created using step 4
    • Action → Select Run playbook
    • Select Infoblox-SOC-Get-Insight-Details playbook
    • Click on Apply

Deployment instructions

  1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
  2. Fill in the required parameters:
    • Playbook Name: Enter the playbook name here
    • Infoblox API Key: Enter valid value for API Key
    • Assets Data Ingestion: Provide true if you want to enable Assets data ingestion from SOC Insights. Default is false, Allowed values are true and false.
    • Comments Data Ingestion: Provide true if you want to enable Comments data ingestion from SOC Insights. Default is false, Allowed values are true and false.
    • Events Data Ingestion: Provide true if you want to enable Events data ingestion from SOC Insights. Default is false, Allowed values are true and false.
    • Indicators Data Ingestion: Provide true if you want to enable Indicators data ingestion from SOC Insights. Default is false, Allowed values are true and false.

Deploy to Azure Deploy to Azure Gov

Post-Deployment instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

  1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
  2. Go to General -> edit API connection
  3. Click Authorize
  4. Sign in
  5. Click Save
  6. Repeat steps for other connections

b. Assign Role to Update in incident

Assign role to this playbook

  1. Go to Log Analytics Workspace → select your workspace → Access Control → Add
  2. Add role assignment
  3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
  4. Members: select managed identity for assigned access to and add your logic app as member
  5. Click on review+assign

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Infoblox